5 Reasons to Get Certified as an Enterprise Risk Manager

January 17, 2019

As risk management is a relatively young discipline without an identifiable career path, those who forge a path in their respective industries can provide both their career and organization with a competitive advantage. Some wonder whether going through a certification program is worth the time and effort, but here are five reasons to consider:

The high demand for talent in the field
Though every organization can benefit from a robust risk function, it’s often only regulated sectors such as banking and insurance that will have established one. At the same time, risk management is increasingly becoming formalised and integrated. Organizations see the need for risk management in order to keep up with changing economic and market needs, but leaders are finding it hard to find the right talent to take up the challenge of implementing risk management best practices. Thus, being certified as having a set of skills and knowledge will help you stand out to prospective employers.

Learn how to approach organisational objectives holistically
It’s human nature to stick to what we’re comfortable with, whether it’s because of our background experience or our specific interests. Chances are, risk managers have come to their line of work from a variety of different departments or business functions. However, ERM is about breaking down the traditional silo-ed approach of risk management, by looking at big-picture objectives and encouraging a collaborative, holistic approach. As such, an indicator of a good risk manager is the ability to take into account multiple perspectives — more so when it comes to Enterprise Risk Management.

Build a network
In a structured training program, you meet like-minded peers and mentors equally committed to their career ambitions and growth. The professional relationships you foster and the network you build will be an invaluable resource — not just for the opportunities you can gain professionally, but also for the shared knowledge you will have access to from fellow risk practitioners.

Advance in your career
Risk management was a discipline that emerged through ad hoc needs, and until now, professionals still often come to this field of work by learning and gaining experience on the job. There is no clear, mapped-out path for being a risk manager. However, by becoming certified, you are signalling to your current as well as potential employers that not only are you committed to advancing as a management professional and leader, you also have the skills and know-how to add immense value to any organization. Again, given the relatively underdeveloped nature of the discipline, professionals who have built up a skillset in ERM will be pioneers in relatively uncharted territory.

Make decisions with confidence
Effective ERM allows you to improve the strategic decision-making at the top levels of your organization. By going through a formal certification program, you gain an arsenal of formal skills and knowledge that you can pull from. A large part of effective risk management is creating and identifying opportunities, aligning any value-adding activities to organisational activities; by becoming certified in ERM, you’ll have the facts, qualification, and authority to back up the strategic decisions you want to make. The best practices and case studies you would have learned about will arm you with the confidence to guide your organization towards achieving its objectives.

Whether you’re just starting out as a risk manager or have a few years under your belt, you will be able to benefit from gaining a certification in Enterprise Risk Management — both for your professional development as well as your career advancement.

4 Considerations for Fraud Risk Management

December 19, 2018

Corporate fraud is a tale as old as time. The total costs of a fraud attempt and the complete set of risks facing a financial institution in the aftermath of a fraud attack often go far beyond the fraud losses themselves. That is, organizations must also account for legal costs, investigation costs, reputational risks, as well as eroded confidence and customer loss. An effective fraud framework will include prevention, detection, and deterrence. Organizations often focus on prevention and detection and neglect fraud deterrence, which involves proactive rather than reactive measures. Given the high occurrence and costs of fraud, both financial and reputational, organizations with successful fraud management frameworks in place could have an edge over competitors.

With billions of dollars that can be lost due to fraud, organizations are increasingly concerned with fraud risk management, looking towards a more proactive approach rather than a compliance-driven one. Read on for four important considerations in fraud risk management:

1. Governance and Tone from the Top

Given the high stakes involved, it is the Board and top management that need to prioritise fraud risk management – setting the tone at the top so that it ripples throughout the organization. Policies and processes for prevention and detection are only one part of the story; in order to minimize any losses attributed to fraud, it’s vital to have watertight reporting and communication systems so that the Board and management can make timely decisions in response to information provided to them. Other considerations involved include investigation, whistleblower protection, defined roles and responsibilities, performance monitoring, and more.

2. Fraud Prevention and Detection

Ideally, an organization will have the systems in place to prevent fraud, rather than having to detect fraud after it occurs. Developing effective policies and procedures, including ensuring protections for whistleblowers, can also act as a deterrence to potential wrongdoers. Fraud awareness from the top-down also enables communication and cooperation across the organization for continuous improvements to the systems in place.

Fraud prevention is not always possible. To this end, an important objective in a fraud risk management program is to minimize the elapsed time between fraud incidents and their detection. Mechanisms in place for faster detection of fraud should take into consideration common indicators of fraudulent activity to enable efficient monitoring and reporting.

3. Monitoring and Reporting

As mentioned, fraud can have far-reaching implications; fraud incidents can involve legal and civil liabilities in addition to the financial and reputational hits to the company. Setting up comprehensive processes and responsibilities is important so that when an incident does occur, the right responses can be triggered according to plan. In turn, those with the right information can take the timely action needed.

4. Technology-Enabled Fraud Risk Management

Just as much business is moving towards digital, crime is too. With a wide range of data stored in the cloud, there are large swathes of important information that are vulnerable to exploitation, including customer information and profiles, transaction data, related parties’ information, and more. This means that fraud prevention and detection must also be focused on the digital. Of course, with the large amount of data, organizations now also have the opportunity to use AI or Machine Learning to analyse and process data accurately in order to detect, prevent, and report on suspicious activity. Banks in the UK such as HSBC, RBS, Barclays and Lloyds have begun to leverage new technologies, creating consolidated platforms to fight fraud as well as collect information on the patterns that indicate the incidence of fraud.

Just as with any risk, fraud cannot be completely eradicated. However, considering that organizations worldwide still often struggle with fraud risk management, a robust program to deal with fraud can become a strong competitive differentiator. Coupled with the digitization of fraud, organizations seeking to stay ahead of the curve should maintain a proactive approach to fraud risk management, as part of an overall Enterprise Risk Management framework.

What Next?

Seeking to gain the skills needed to establish robust fraud risk management? Sign up for our module on Fraud Risk Management, as part of our Enterprise Risk Technician (ERT®) certification program.

Corporate Culture and Risk Culture: The Chicken or The Egg?

December 10, 2018

Last week, the IERP held a Chief Risk Officer Networking Group (CRONG), where Mr. Khairul Azwa, director of risk and compliance at a prominent GLIC, spoke on his experiences developing the risk culture in his organization. With a background in banking, he had started as a treasury dealer, eventually going on to become a risk manager at one of the GLICs in Malaysia. One of the challenges that he faced was setting up a new risk management department from scratch, a task that he gave himself three to five years to develop. At the company, he noticed two traits that were ingrained in its DNA: firstly, a strong culture of service, and secondly, that it cannot afford to make mistakes, as these will have repercussions not only on the company, but also on careers, stakeholders and the country.

In developing risk culture at his company, he had to start from the ground up; there was no strong base to begin with. With staff from various backgrounds (i.e. government service, banking, corporates), he had to begin with identifying the staff, top management and the environment of the company. And by that, Mr. KA needed to have a bird’s eye view of the company, as well as build on the core businesses. In order to achieve set goals, the staff in the company needs to be educated on risk management. Each staff member needs to know who will take ownership of the risks and/or projects and how that will be done within acceptable standards of behavior. Mr. KA emphasized that creating a culture is not an overnight project. It will take years before culture can be part of a company’s DNA.

In the process, there were several challenges he faced. Firstly, the organization needed risk management but no one had any idea what that would look like. Often, there was disagreement about which ideas should be implemented, and how. Besides that, he met a lot of resistance from various levels in creating the risk culture in the company, because of the different backgrounds and over how to get it done. No one would agree on what they were doing or the reason why they needed to do it.

In spite of the challenges, Mr. KA likened creating risk culture to planting a seed. Where there is no risk management strategy in place, simply start small. Through the risk management process, risk culture can grow organically from staff and interdepartmental cooperation. With risk management in action, an ideal result is that its positive impact will be recognised, creating a chain of positive feedback across the organisation. One successful case can lead the way for further risk management activities, and so on.

Usually, the instinct in facing risk is to avoid or prevent it, but as a risk practitioner, those risks should be seen as opportunities. Mr. KA drew from his experience at his company: before, there was no cohesive team, no solid corporate culture; he recognized these weaknesses and turned them into opportunities. With no firmly embedded corporate culture, there was the opportunity to embed a risk aware corporate culture into the DNA.

Good risk management develops from a focused corporate vision, mission and values. It should be formulated in an environment that is “Risk Aware”. The right culture is needed for effective risk management practices, and the role of the risk management department is to set the standards for acceptable conduct. Risk management should not overwhelm the corporate objectives. In the end, good risk management is good management.

In Mr. KA’s view, there are several key factors to risk culture:

  1. Risk practitioners always need to interact and intervene at the ground level.
  2. Risk practitioners need to be good listeners and be willing to take action.
  3. Risk practitioners need to facilitate cooperation among staff. Lack of communication and a “silo” mentality is a major impediment to risk awareness and good risk management.

All in all, Mr. KA concluded that risk culture is neither egg nor chicken. Corporate culture is risk culture and vice versa. In order to create a good culture from risk management, risk practitioners need to be good ambassadors. To ensure an enduring legacy, a risk-aware corporate culture is vital so that both leaders and staff do what’s best for the organisation.

Top 10 Skills for Succeeding in Enterprise Risk Management

December 3, 2018

Many have the impression that risk managers just focus on the technical aspects of risk. While the technical is important, it is just one of the aspects in Enterprise Risk Management (ERM). There are many skills needed to succeed in ERM but it is not just about number crunching, ‘challenging’ others, validating internal controls, any form of internal or external auditing, or EHS specialism. ERM is not all about identifying risk either. During our Tea Talk on 16 October, Mr. Ramesh Pillai, IERP® Chairman of the Board of Governors, spoke on the importance of EQ and soft skills in ERM. EQ and soft skills, while often vastly underrated, are what will differentiate the experienced, effective risk managers from the average ones.

These are the top 10 EQ and soft skills a Risk Manager or Risk Practitioner needs in order to succeed in Risk Management:

Environmental Risks and Business Continuity Management

November 21, 2018

The World Economic Forum has named climate and other environmental risks as a top global risk for seven consecutive years. At the same time, leaders at both state and business levels have generally failed to build the sustainability, resilience, and agility needed to handle environmental threats.

According to a 2016 report by ClimateWise, there is a widening gap between insured losses and total economic losses from climate-related natural catastrophes. In 2015, this gap was more than USD 100 billion. Both countries and businesses do not completely understand their risk exposures and thus are inadequately prepared for adverse events.

4 Ways Risk Management has Evolved

November 7, 2018

In response to a changing global economy as well as to regulatory and customer demands, risk management has evolved from a reactive and independent function, to one that is increasingly connected to strategic decision-making, with its own developing standards and best practices. In short, risk management has undergone considerable development: broadening its scope from just credit, market, and operational issues. Enterprise Risk Management (ERM) is currently the most advanced iteration of risk management, and seeks to improve on conventional approaches while taking into account current and future needs.

In a study on Risk Management in 2017:

  • 19% of respondents said their risk management activities are coordinated across specific lines of business.
  • 69% of respondents say skills shortage in new & emerging tech impedes risk function effectiveness.
  • 59% say they are responding to cost pressures by aligning management and employee skills with the changing needs of the risk function.
  • 52% are adopting a standardised model to manage market risk.

These findings point towards a risk function that encompasses greater scope and complexity, with the capacity to play a bigger role in a company’s decision-making processes and everyday operations. At the same time, the growing need for risk management is obstructed by lack of awareness at the top-level as well as the lack of a defined career or professional development path — both of which contribute to organisations struggling in improving the effectiveness of their risk function.

Here are 4 fundamental shifts in risk management in the past decade:

1. Increasing focus on the big picture: More and more, the risk function is playing a greater role in the C-suite. While a large number of organisations and industries still suffer from the lack of robust risk management frameworks and processes, many recognise that risk management can be used as a powerful tool to inform business decisions. Risk management is no longer just seen as a method to keep organisations safe and protected from external harm, but a way to also have a holistic view of opportunities and threats, and how they align with business needs and objectives.

2. The growing importance of multidisciplinary knowledge and skills: Risk managers have traditionally started from a finance or auditing background. In the current iteration of risk management, however, risk professionals can come from a variety of fields and work experience, whether it’s marketing, sales, IT, and so on. This can prove to be a strength for those seeking to move beyond a checked-box approach to risk. The growing prominence of risk function makes it vital for risk managers to understand not only the business side of things, but also how other functions fit into the whole picture.

3. Increasing focus on outcomes: ERM moves the focus away from just assessing the probabilities of risk events and their effects on systems, operations, and processes. Now, there is greater focus on the relationship between risks and organisational objectives. Rather than just looking at the likelihood of the event, the best practice is to look at how objectives will be impacted by an event. By connecting risks to outcomes, ERM provides a guide to decision-makers on which risks are most important to address, and which can be placed as a lower priority. In this way, you can then increase the chances of achieving set objectives.

4. Internal risks and culture: Risk management has moved from being an ‘outsider’ function; though risk managers still have to maintain a certain level of independence and objectivity, their success also depends on how well they create relationships and understand the various business units. While it has been useful to evaluate the external risks to an organization, the risk function also has the potential to make improvements to internal processes, systems, and culture so that there are enterprise-wide efforts towards certain outcomes. A risk-aware culture is much talked-about but is often an elusive, vague concept to apply. Using risk-based thinking allows you to determine the best tools and approaches for each context or challenge you are faced with. Relying on the limited scope of audit and compliance functions to identify gaps will only leave organisations stuck at a certain level of performance or growth.

The Takeaway

In the last decade or so, the risk management function has transformed from a narrow, limited discipline into an interdisciplinary field with a comprehensive, integrated approach. This means that risk management can no longer be a tacked-on function. Effective risk management requires investments in time, money, and talent, and an integration into the organisation’s efforts towards a long-term vision — a factor that can decrease the willingness to invest in the first place. However, we are in a new era of disruptive innovation, geopolitical upheavals, and environmental catastrophes. The interdependencies of the global economies mean that it’s no longer sufficient for individuals or individual organisations to practice effective risk management. Government, regulatory bodies, and industry authorities also have their part to play in moving the discipline forward so that sustainability can be achieved on a collective, macro level.

Learn more about Enterprise Risk Management best practices and standards in our flagship ERM® Certification Program. 

Creating Value out of Enterprise Risk Management

October 22, 2018

At our Tea Talk session on 12th September, IERP® faculty member Zaffarin Zanal gave a featured talk on Creating Value out of ERM. Zaff started off by stating that—to strong murmurs of agreement across the room of risk practitioners—implementing ERM is hard. The typical difficulty with implementing ERM is that while risk professionals understand the value of ERM, the top management (as well as the rest of the organization) might not readily see its value. Zaff noted that when something has perceived value, psychologically there is a ‘pull factor’ to it. It doesn’t require much forceful selling (the ‘push factor’).

3 Benefits of Developing Emotional Intelligence as an Enterprise Risk Practitioner

October 16, 2018

In implementing enterprise risk management in your organisation, people will be your most important resource. It doesn’t matter whether you are seeking to establish or support enterprise risk management in your organisation, making strategic decisions for your company, or managing the talent. Establishing a good network of working relationships is essential to your success as a risk practitioner, and developing your emotional intelligence is what will enable you to influence top decisions and culture in your organisation – without using overly aggressive, fear-based tactics.

Cybersecurity Oversight in the Boardroom

October 10, 2018

A little more than a year ago, Equifax disclosed to the public that it had experienced a cyberattack, during which hackers stole the names, Social Security numbers, birthdates, and addresses of 147.7 million Americans – more than half the US population. Since then, other major data breach incidents have been reported worldwide, involving—among many other entities—Facebook, fitness tracking app Strava, Adidas, Under Armour, and identification authority Aadhar (compromising the personal information of all 1.1 billion Indian citizens registered under its service).

Business Impact Analysis: 5 Tips for Accuracy

October 3, 2018

A Business Impact Analysis is a critical component of a Business Continuity Management framework – required to understand the organization’s interdependencies and full range of operational complexities.

The goal of a Business Impact Analysis (BIA) is to identify the crucial business functions that will be affected in the event of a natural or man-made disaster. BIA findings allow leaders to set up recovery priorities, plan out recovery strategies, allocate the appropriate resources, and determine important metrics such as Recovery Time Objectives (RTO), a measure of the maximum time within which business functions should recover as close to normal during disaster recovery.

Is there Practical Use to the Statement on Risk Management and Internal Control (SORMIC)?

September 24, 2018

In Malaysia, the Statement on Risk Management and Internal Control (SORMIC) is a requirement from the Securities Commission, in accordance with the Malaysian Code of Corporate Governance (MCCG) 2017. On 14th September 2018, a Tea Talk was held at the IERP® International Secretariat, featuring a presentation on crafting an effective and practical SORMIC – by Mr. Ramesh Pillai, Group Managing Director of Friday Concepts Risk Consulting.

Global Conference Highlight: Using Enterprise Risk Management as a Strategic Tool

September 7, 2018

A common excuse given by those who are not convinced of the use of risk management is that there is ‘no time’ for it, especially if management often has to make quick decisions. However, Leonard Ariff Abdul Shatar, Group Managing Director of CCM Duopharma Biotech, notes that many mistakes (and the subsequent costs) could have been avoided if additional thought and effort had been put in. As a public-listed company, it’s a requirement for CCM to have a risk management function. For CCM Duopharma Biotech, risk management was split up as it was thought that the audit function was overshadowing it.

Towards an Objective-Centric Approach to Risk Management

August 21, 2018

With Enterprise Risk Management becoming increasingly institutionalized, global best practices are continually under revision as international standards-setting bodies such as ISO or COSO seek to improve on ERM methods and guidelines. A core development in recent years has been the recognition that an objective-centric approach to ERM yields greater outcomes compared to the traditional taxonomy approach. At the same time, the constant evolution of ERM practices means that there is often a gap where organizations are slow to correct outdated methodologies – due to the complexity and resources required to change existing processes, structures, and culture.
